Help on Hacked Server


Ted

One of my clients has a Win2k server; it is a
webserver running IIS and that is all. It is sitting in
a DMZ and it has been hacked recently with numerous
trojans and viruses.

I was able to apply SP4 but I wasn't able to finish the
windows update, most notably the DCOM & Blaster updates.
When I do the windows update the download is fine, except
when it goes to install it I get a dialogue that
says "Setup cannot copy the file netbt.sys, ensure that
the location specified below is correct or change it and
insert "Unknown" in the drive you specify"

And then it gives me a dialogue with a path to ask where
the files are located.

I know that I have cleaned all of the trojans & viruses.
I have a port sniffer that is looking at all traffic. I
did also notice that the customer had the C drive shared
at the root, so I removed this share. Can anyone help
me with this issue?

Also, I don't see any attempts to run cmd.exe in the IIS
& FTP logs; could they have been coming through the file
share? If so, is there a log to let me know what was
copied to the system32 directory and when?

Thanks in advance

Ted
 
For this server, you will get the best security if you format it and
reinstall it, being sure to completely harden it. The reason is there is no
other way to know for sure what other back doors a hacker may have installed
on it.

Whichever you choose, these things may help you:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

CMD.EXE running in the IIS logs comes in through IIS, for example through
URL string requests from clients in the case of the www logs. Those logs
would be one way to see whether a file has successfully been copied, along
with checking the hard drive to look for changes. [for example, a 200
message after the CMD.EXE line might indicate success.] However, other
sorts of attacks do not show up in the logs, such as IIS buffer overflows or
attacks that don't come through IIS. The free Microsoft URLScan tool would
have blocked these IIS attacks.

http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs

I think your customer should really hire a security consultant.
 